W3C

STRINT: Strengthening the Internet Against Pervasive Monitoring
Minutes from Day 1

28 February 2014, see Workshop homepage

Attendees

Present
See attendees list
Chairs
Stephen Farrell, Hannes Tschofenig, Rigo Wenning
Scribe
Nick Doty, Philipp Hallam-Baker, Karen O'Donoghue


<bortzmeyer> While waiting for the workshop, an opinion about Internet governance (warning: high level of trollness) http://www.usnews.com/opinion/blogs/peter-roff/2014/02/25/will-obama-abandon-internet-freedom

<hildjj> getting started

Stephen Farrell introducing the workshop

<swb> audio?

<wseltzer> Date: 28 February, 2014

<wseltzer> moneill2, audio will be at http://nagasaki.bogus.com:8000/stream10

<MacroMan> Does anyone know if the streaming audio is being recorded for later listening?

<rigo> 66 submissions, around 150 people having submitted thoughts, only 100 had place, apologies to the others

Hardware failure in the audio, under way to fix

<swb> audio is working on that url

<MacroMan> Is it being recorded too?

<wseltzer> Slide presentations

<pde> a pity that this server doesn't accept secure connections from non-w3c members :)

<swb> +1

larrymasinter: not sure where we talk about other applications

<wseltzer> pde, I'll send a sysreq

sfarrell: maybe in the metadata session to talk about what isn't sent, not just encryption

<swb> Is anyone acting as go-between, so we can possibly insert comments into the meeting?

dcrocker: expand scope beyond just SIP, Jabber, email

dgilmore: coordination deprecation of existing algorithms

s/dgillmore/dgillmor/

kaplan: not just deprecating algorithms, but updating running software

<grothoff> When are we going to talk about deprecating TCP/IP?

elliotlear: if you're raising security questions, are you answering the generic security problem or just pervasive monitoring? please be specific

farrell: a problem on perpass as well

brian trammel: a lot of boxes out there, operational considerations; but also business model considerations, if the email provider needs to be able to read your email, that's probably not going to work

<dcrocker> small correction: i'm suggesting expanding scope beyond the bulleted goals item for web architecture concerns, to cover the other major architectures/services/

<Ted_> brian trammel was the @@ speaker

scribe: some things we'll have to leave out for this workshop

pde: good to start with some threat modeling, some problems are low-hanging fruit, encryption by default even if you're not protected against active attackers
... should have been done long ago
... next step would be detecting active attacks when they're happening
... 1) encrypt everything; 2) detect MITM; 3) address service provider business models etc

Orit Levin: choose different terminology than opportunistic encryption, instead focus on the specific technology

farrell: fix the different uses of that terminology, need to have a common understanding of that term, one goal for this workshop

<bortzmeyer> grothoff: we talk about strengthening the Internet, not replacing it by a new (GNU?) network

phil: won't create a new technology right now or even in the next 6 months; traditionally security area has demanded perfection against attackers focused on a single person, current problem is less like that

stevekent: should separate threat model and suggested solutions

<swb> That's Steve Kent

JoeHallCDT: not a lot of thinking in IETF about anonymity and building that into protocols, we're going to be doing some work on that

<grothoff> bortzmeyer: and I thought you were serious about addressing issues like PRISM and other NSA programs, not just verbally reassuring users.

<swb> wow, there's a lot of buffering in the audio. npdoty gets his comments out as the person starts talking :)

richardbarnes: it is important to come out with actionable stuff; areas where we need to work (like anonymity) that are fairly actionable

BernardAboba: need to think about why a new proposal will be deployed when past solutions haven't been; understand the motivations of what determines deployment

farrell: encourage deployers to speak up

<smb> The scribe is using the thiotimoline interface.

leon_kaplan: many organizations are just small organizations with a single sysadmin; they don't have the resources; we need to give some good advice they can copy and paste

Achim Klabunde: european data protection supervisor; we could enforce some compliance theoretically; good things are there but not used or they are misunderstood and that isn't solvable by IETF/W3C

… work on this with volunteers to see how this can be improved
... look at technologies beyond encryption, like minimization

stevebellovin: should be looking for a 90% solution that just works, for 90-95% of people and businesses that don't have extraordinary threat models
... shouldn't have to make a lot of strange choices between algorithms and key lengths
... for the few organizations that have stronger enemies, they can afford experts

moriarty: how can we create better connections within standards bodies (starting with authentication)? developer teams don't know who is using what, what's available, what the use cases are
... would like something wiki-based as a starting point, and then reach out to standards bodies
... references at wikipedia so that those other audiences will know where to go at IETF or W3C
... our work would be promoted more

<JoeHallCDT> yeah, Wikipedia can be tedious for editors

alissacooper: define the areas that seem most fruitful, but also try to prioritize those areas -- which is low-hanging fruit and which comes later
... also good to think about what not to work on

<swb> Any of us standards groups can host the wiki pages.

alissacooper: ... for example, browser fingerprinting, decide in areas where smart people have been thinking about it and maybe we need to put it aside for a while
... if there is consensus on priorities

kai: users must demand they want to be more secure; define what is easily surveillable or more difficult
... can we define standards / metrics of protection levels?

<swb> That's going to be a good point later -- creating better security does no good without upkeep

hhalpin: a lot of people are familiar with ietf/w3c but not everyone, so worth outlining the WGs that are rechartering
... Web Crypto is being rechartered, for example
... a lot of people really do want better security (anecdote: Whatsapp/Telegram)

<hhalpin> And telegram rolled their own crypto, which is rather crazy at best.

phil: need to quantify work factor, know that NSA has a limited budget

<hhalpin> http://www.thoughtcrime.org/blog/telegram-crypto-challenge/

<MacroMan> hhalpin, +1

<JoeHallCDT> we can maybe estimate from black budget... not sure helpful

dcrocker: we should worry about real usability, who will deploy it, why they will, what is necessary for users to benefit in the real world

<hhalpin> We would really like folks to review the Web Crypto API, which is nearing Last Call and will also likely recharter by end of the year

Threats

<hhalpin> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html (latest draft of Web Crypto API)

<sftcd> http://down.dsg.cs.tcd.ie/strint-slides/s1-threat.pdf

cullen: there's a ton of data being collected
... what has raised the particular issue has been pervasive collection
... IP address, MAC addresses, identifiers and content

<rigo> collected by lots of people

cullen: being collected not by any single organization, many governments
... not new

<kodonog> * audio is up, but the quality is sketchy

cullen: collected at carrier level; collected at transport level; collected at cloud service providers
... attacks are changing over time: not just passive attacks, but also active attacks
... come out of this session with a clear idea of the threat model and the attacks
... make sure we're working on things that do address the threat model
... passive attacker can listen to communications or just correlate communications between alice and bob

<JoeHallCDT> EKR's?

<swb> http://down.dsg.cs.tcd.ie/strint-slides/

cullen: mitigations: don't send the data if you don't have to; encrypt data; anonymization
... active attacker: not just observing, but also changing communications
... active attacks may actually be quite easy for the pervasive attacker to mount
... often in a good position to get themselves bogus credentials
... mitigations: authentication; have more than one way to verify who you're talking to; improving trust models
... collaborators who wittingly or unwittingly reveal information out to the attacker

<Ted_> witting or unwitting, willing or unwilling

cullen: might be directly taking keys and handing them to the attacker; or I generated keys in a way that the attacker could find out

<Ted_> sorry, witting or unwitting, *not* willing or unwilling

cullen: static key exfiltration: attacker finds out a key that is long-lived

<sftcd> nice logo on this one:-)

cullen: versus dynamic key exfiltration: where the attacker needs to obtain the keys for each communication
... content exfiltration: taking the content rather than the keys during the communication
... attackers will do all of these; we can increase the costs of these, so the attacker has to move to the more expensive attacks, or makes it more visible and increases the risk that the attacker will be 'caught'
... this is just level-setting, would like to hear from the room

barnes: make a list of the attacks, so we can scope and prioritize work based on how it addresses these attacks

stevekent: should include content in the pervasive passive attack

barnes: yes, passive definitely includes content, the metadata/correlation was what is new

stevekent: identifying classes of adversaries by their motivations and their capabilities, separate from just the threat model

wseltzer: a helpful framework; it should be part of the design process to ask and answer against which threats you are designing
... it's fair to address only some threats as long as we don't tell people we're addressing more than we are

<swb> I don't think we can/should identify classes of adversaries -- we don't know enough yet. We can understand the threat model without understanding who is doing the threatening.

<JoeHallCDT> Dave, dave, Ed, Stuart, Pete

<jphillips> Two attacker classes: those with national security letters and those without?

DThaler: far easier to detect an active attack than a passive attack, anything that helps us move from passive to attack helps in multiple dimensions

dcrocker: increasingly sensitive to distinction between handling metadata and content metadata

ted: not sure how valuable it is to classify the motivations of an attacker
... a rathole in describing the motivations, which may be controversial terms

<JoeHallCDT> NSLs are pretty retail, it seems

<JoeHallCDT> unless they come for keys, but legal minds disagree if they can get that through NSLs

stuartcheshire: glad active attacks are included -- not that hard to switch to active attacks, like airport wifi

<swb> which slide is on the screen right now?

<JoeHallCDT> summary

stuartcheshire: very tempting to talk about encryption technologies and certificates as stopping attacks
... but actually what they do is just make the attacks detectable
... what we do is throw up a certificate warning
... "that's how you know you're on the right site, because it always does that"

crowd: the russian hacker would have had a good cert

stuartcheshire: not a scalable solution to complain about certificate problems

peteresnick: let's not throw things away because they're not immediately effective
... the fact that a big cloud player starts encrypting (even if the attacker can do content exfiltration directly)
... can move our infrastructure. might establish a basis for solving bigger problems down the road

leon_kaplan: should add denial of service or jamming to encourage users to downgrade to unencrypted versions
... some attackers will just slow it down massively, which looks innocent in a developing country

<Ted_> An adjunct to Pete's comment: there may be more than one attacker. Even if there is infiltration by one, that's not the same result as cleartext, which is available to all attackers.

leon_kaplan: phishing is another attack, by intelligence agencies or others

barnes: figuring out when technologies get used, like HSTS

phil: need to think of actors not as monolithic groups -- for example, individual defectors within larger organizations
... one consequence is loss of reputation, PR issues for organizations because of attacks on their users (Yahoo! in the news)

larrymasinter: don't see in the taxonomy attacks on services that are popular but don't require pervasive monitoring
... application-level security might give traffic analysis more information rather than less
... might be useful to categorize users: cognoscenti; vulnerable populations (children or elders) who might be abused;

HaroldJohnson: there's an assumption that once you're encrypted, you're safe; we think there should be security and entanglement at the application layer as well
... not sure where it fits within W3C / IAB / IETF mandate

@HaroldJohnson: not sure why we're not using public-key based routing

<hhalpin> +1 Harold Johnson: crypto does not equal security - the issue is data minimization (obfuscation)

scribe: no way to MITM

CarolVanLynx: just hold a public key qr code in front of a webcam and then there's no way to go to the wrong place

<Ted_> s/CarolVanLynx/Carlo von Lynx/ ?

GeorgeDanezis: @We have now lots of known cases authentication systems are being subverted in order to fake, access routers being subverted as well. [scribe couldn't hear/understand]

<JoeHallCDT> Danezis was talking about subversion, actively frustrating attackers?

elliot: Ted asked if the motivations of the attacker are important; motivations are important for the user/administrator to understand how much money to spend to mitigate the attack
... if I care, then I'll mitigate, otherwise I won't
... at the end of the day, it will come down to implementers and users

farrell: how should we document the threat model so that it's understood by those designing / implementing / deploying?

<Ted_> For Eliot's point, not surprisingly, I fundamentally disagree. A valid mitigation against one attacker will work against others with similar capabilities but different motivations.

joehildebrand: requirements for the threat model, interoperability is important and if we don't have that we have a denial of service attack
... has to be implementable by more than one group, so simplicity is a very important goal

barnes: interoperability serves a security function by making it testable

<swb> please remind people to state their names every time

pde: what do we do when we detect mitm? currently we show absurd error that trains people incorrectly
... solution was called sovereign keys
... bbc, eg, publishes a key in an append-only data structure
... if the user sees a key that isn't the right one, the software uses a slower but safer technique
... gave up on that for a sophisticated attacker / threat model based on China, but it might work for other models

kai: Are compromised home network devices (CPE) in-scope? [scribe didn't understand]

barnes: maybe not something for this workshop

dcrocker: the reality is that this group is always going to go for solutions
... think about higher-risk vs lower-risk solutions
... object threats vs. venue threats: payload, payload metadata, transaction metadata vs link, support infrastructure, dns

Doug_Montgomery: rather than threat model, what is the risk model?
... risks to performance, business models
... risks of attacks vs. risks of successful deployments

barnes: what are the properties/ additional considerations beyond security: performance, business model

<JoeHallCDT> as a physicist, it's probably "emanation" rather than radiation

Brian Trammel: in protocol level interactions, what do we know that we radiate vs. what do we not know that we radiate

scribe: information radiation is important because even if we solve all encryption problems, there are patterns of bits on the wire

<Ted_> No, you can't remove it, but you can make the patterns much more expensive to see.

<jphillips> or make sense of.

hannes: is this taxonomy useful? to whom?

<swb> I'm not going to try to contribute, but for this group: there are so many things you can do with the pattern of bits on the wire!

hannes: in standards, try to develop abstract building blocks that will be used in a wide variety of contexts, so motivation doesn't matter
... but does matter to the developer/deployer
... so this list could be useful in a standards group, going through the list because confidentiality is otherwise considered expensive

leon_kaplan: useful to know how expensive is each attack and each defense

<Ted_> +1 to Dr. Fluffy

fluffy: impossible to get to the motivations of attackers in this case, anti-productive. could discuss capabilities in a broad context, which might provide the same information

<swb> Eventually it'll be useful to get into motivations, but for now we know enough of them at a coarse level, and have plenty to do with what we already know about threats, regardless of motivation.

stevekent: describe classes of attacks and give them numbers so that protocol authors can describe which of the enumerated attacks they are resolving

<jphillips> Is there a list of attendees somewhere?

stevekent: motivations can be done without being pejorative; motivations of intelligence agencies for passive attacks because they don't want to be detected is still valuable

barnes: cost model of the adversary is useful

rigo: at the moment we are one step behind, have to see what people did to install pervasive monitoring
... attacker is sitting at large IXP
... tells us where encryption can be helpful

<mcmanus> queue is closed - so irc can be my platform. We talk about driving up cost of attack as a defense - but driving up cost of mitigation is an attack itself because it will bifurcate the sol space

<swb> is that ekr?

<Ted_> Yes

ekr: centralization of cloud services creates a new locus of attack
... places most secure from network attackers are least secure from attacks from government/lawful intercept
... bring in new insights to inform protocol design

<JoeHallCDT> you got it, nick

Robachevsky: threat model is so wide/pervasive -- look at the relationship of those threats, where they might be a chain and a weakest link

<hhalpin> +1 EKR. We don't want decentralized services insecure from network attackers, or centralized servers that are easily compelled by govt. attackers. I'd prefer a federated, decentralized approach based on well-reviewed standards.

<dougm> The real issue is the relative RISK model. What is the risk/ramification of an adversary exploiting a known vulnerability, vs the risk of deploying a solution. Risk of solution includes, cost, complexity, fragility, new attack vectors, etc.

<wseltzer> mcmanus, and then leave the demanders-of-greater-security part of a smaller anonymity set against traffic analysis

Robachevsky: consider use cases to identify low-hanging fruit

<swb> Kathleen Moriarty

<JoeHallCDT> and risk to user, implementer, others?

moriarty: lots of instances of full-packet capture, analysts love it

<dougm> Yes the risk of both attack and risk of solution is viewed differently by different players in the ecosystem.

barnes: how will protections affect emergency response

DThaler: one audience is W3C/etc., another audience is deployment -- this document is focusing on the first audience
... what's the incentive for someone to actually deploy something, fund mitigations

<dougm> How much additional would you pay on your broadband bill to make PM more costly to highly resourced threats?

DThaler: protecting data is one; protecting anonymity / reputation is another

barnes: lots of useful comments for how we can make this document better

<wseltzer> [catalog the threats as incentives to appeal to different parts of the corporate user, implementer, and designer community]

barnes: will try to improve the draft in the next little while
... what's the process for moving this forward? perpass list, etc.

farrell: need to figure out what to do with the perpass list in IETF, what are we going to do with this draft, maybe split it for the two audiences
... needs an AD sponsor

<JoeHallCDT> what's the relationship between the Barnes draft and Trammell draft?

<DThaler> protecting anonymity and protecting reputation are two different things. My point is to cover such a list of things people who need to make a deployment change care about

<wseltzer> The draft: Pervasive Attack: A Threat Model and Problem Statement

hannes: not sure this document can expand to cover this other audience

<swb> The perpass list should continue because we will need it for draft review -- see the Monday lunch meeting plan for example.

hannes: user-facing stuff is not in this document or in any others that I know of

barnes: I can be a central point for people who want to help on this document or related

<wseltzer> [break for 1/2 hour]

< half hour break, start again at 4 o'clock >

<jphillips> Where are the logs for this channel?

<swb> jphillips: | RRSAgent I have made the request to generate http://www.w3.org/2014/02/28-strint-minutes.html

<PHB> Ask to turn off the recorder for confidential stuff

<PHB> Hannes: Comsec1

<inserted> scribenick: PHB

COMSEC1

This session we are looking at how to increase usage of current COMSEC tools

Hannes: Great standards of papers, but not everything is deployed

HTTP:

Observation from Eckersley #438, CAs infrastructure

<DThaler> slides at http://down.dsg.cs.tcd.ie/strint-slides/s2-comsec.pdf

% of websites using HTTPS is rather low still

SIP issues (see slides for details)

SIP might have had an attitude issue, RTCWeb might be a chance to do it right because it is a different community

(yes)

Is this better?

<swb> :)

AAA: RADIUS and Diameter

Invisible to end users, often installed by technical staff

Basic mechanisms are standardized but do people actually use them?

(end user can't tell)

What should be done

<swb> another factor is image: you don't tell people to use security measures because that means you have security problems

Solution strategies

Alternatives to CA system, opportunistic keying

Reducing operational cost, via profiles, or new key management techniques

Education problem

<Isn't requirement for education a problem in itself???>

Issue with deployment/vendor community

Bypassing

What are the low hanging fruits?

Bernard - operational requirements

Some things have been deployed, XMPP client server has been, server to server has not

SIP has not been deployed but it looks like XMPP, why not (too many options maybe??)

People are going to DTLS

Is (D)TLS the appropriate model or is SSH more likely to be successful?

(work at CERT) when a security issue, measure number of servers get patched

Usually get patches but usually this tops out at 50%

after that updates stop happening

Does not help to point fingers, but what does help is a web site that will audit their connection and tell them if they are secure

Verification works

<JoeHallCDT> wasn't that "gameification"?

<hildjj> BTW, we do what Aaron was asking for in the XMPP world: https://xmpp.net/

Cullen: SIP security is widely deployed but does not use the SIPS scheme

<Ted_> The difficulty with that is that the attacks may not be against the client to server piece; the server-to-server piece may be the issue, and it is much less subject to gameification.

… biggest problem has been getting certs easily into servers make it trivial to install cert into server click on a button and everything that needs to happen happens. It is possible and can be done

Brian:

What Cullen said

Anecdote: Set up an XMPP server throw up a free certificate

gets an F because it's a free cert

If what we want is confidentiality need to make it easy for people to do

Should be certificate that does not make a representation about you

Stephen Farrell: we have tried to do this many times and screwed it up

Stuart Cheshire

Is using TLS the problem?

Not if we tell users to just ignore it

User is smart enough to analyze security violations and decide which are benign and which are benevolent?? nah

Not good enough to choose good certs cos user is not empowered

they can't choose not to use the site

One thing he would like to do is in unison IE, Safari, Chrome, give much scarier messages to users

(pictures of bleeding cats)

Offer to be on team to do that.

<dka> +1

Jari

was getting depressed because of little deployment

<wseltzer> [it would be great to get browsers willing to talk about UI for security, and consistency of that UI]

Engineers often look at deployment,

<MacroMan> Second ? on the board in David W

businesses tend to turn things on when there is need

When security is in the headlines

they will turn on everything they can

Reason to be optimistic

Alan Johnson

Talked about sip in terms of voip and video

need to think about media privacy

that is what this week's Yahoo is all about SRTP was not used

one reason is protocol other is operational

all the providers use passive monitoring, using SRTP makes them blind

to turn on SRTP need to have a flag day is not a standard

for upgrade

Steve: is that true for WebRTC?

Max Pritkin: Looking at TLS / SSH discussion user based pinning model. Here is a whole infrastructure have to deploy. All the problems of getting keys get away from what the user does look at vendors

Kai Engert: Low hanging fruits. Large number of deployments upgrade systems too infrequently. Could make it harder to monitor with more frequently patched servers. These are also facts that we have servers supporting old servers because of older browsers. We need to patch more often more quickly and make it easier for servers. Many standards already in TLS

(Scribe lost connection)

For SIP the lack of security is chosen by policy

the people deploying have reasons, which is why it is hard

Rigo:

Certificates triggering just OK

The underground stops at the circle line and the conductor said: Don't look at the signalling system, this is really a circle line train, even if the signalling says it isn't. This is just the way this signalling system is.

<jphillips> (OCSP is quite broken anyway: http://thoughtcrime.org/papers/ocsp-attack.pdf)

So don't worry about the signalling system

Certificate distribution is not a technical problem, it's a communication and a business problem: Money machine is in the CA system

Last time saw spooks really concerned was IPSEC, what happened to IPSec?

EKR:

Various levels of aggressiveness about warnings. Lots of reasons to override the dialogues. The browser manufacturers have to weigh the tradeoffs. Chrome has moved their needle recently. Need to find a way to make the failure cases less common. This works when browsers know for a fact there is no valid reason to break

pins work then

<npd> I don't understand why we need a scary message at all for a self-signed cert

<npd> ... As opposed to just showing it as an insecure/unauthenticated connection

<rigo> scribenick:rigo

<JoeHallCDT> the Laurie/Goldberg draft has an idea there (which I can't summarize without skimming it again)

<PhilippeDeRyck> self-signed certs should be installable upon first use (similar to SSH), as possible in firefox (but more difficult in chrome)

PKI have a business model sustaining it, help people to deploy crypto

<PaulWouters> also prevents people from using it :P

scribe: let's get certificates in software
... disappointed that we are not talking about SMTP could be done in 6 months

sftcd: would it be worthwhile deploying crap CA service?

PHB: they don't want to deal with the server

<scribe> scribe:PHB

<scribe> scribenick: SCRIBE_

(got kicked out again sorry)

Eckersley:

Do TLS scorecard for major email domains everyone in scorecard tries to do it

SMTPS

if people do opportunistic SMTPS people don't check certs, so don't do all the cert chain validations that throw up noise warnings. Zero cost easy deployment for one set of users

Eliot Lear:

Alternatives: another workshop ITAB workshop one transition has been DANE/DNSSEC incentives to get DNSSEC deployed encourage group to read it latency matters especially for HTTP latency is nonstarter Browser based think about problems as refrigerator based have to account for embedded devices

<pde> Speaking of latency, somebody mentioned DTLS as the future... which would be a pity. I think mosh shows that we can do way better...

Dave Thaler:

Misconfiguration aspect: misconfiguration is indistinguishable from attack

<azet> so,.. wanna do a raise of hands of who really trusts CAs? ;)

<dcrocker> Query to Dave? You mean Dave Thaler, speaking now?

expired cert or cert using authority not from your set IAB internal website made clickthrough requirement

<azet> i mean the stuff that's in your browser, not company internal stuff

Put pressure on organizations to make a change not to put pain in the face of the user. Things that are not aligned with the user. We should put the pain in the right place - people who can change things. What if there was notice every time there was a click through

[PHB: yep have a solution for that]

<grothoff> That must be the first time that browser-based DDoS was suggested as a SOLUTION.

Wendy Seltzer:

Need to put usability of security products into the threat model

an application that people fail to use securely is insecure

<npd> Do sites not know that their users are seeing these error messages?

<npd> Would reporting back to the server help?

Sometimes just want to get to a web site

<PhilippeDeRyck> a reporting feature like CSP might help ...

if https: great. other times going to a bank and want to make sure only connecting to a bank. Can we get more of the right people thinking about the usability questions?

Patrick McManus: Wrt HTTPS, lots of talk about certs. Need to ask why there are lots of web properties only use HTTPS to redirect back to HTTP. Cert isn't issue as to why they don't do that. Twitter says t.co does not use HTTPS because web load balancer does not have referer information. Whole business model is to use that referrer information. Have made HTTPs a one stop shop is a very big upgrade for many

David Wakelin: Got an F because an untrusted cert if you get an F you see what you would get if you passed. One of the goals is to make the network fully encrypted regardless of encryption. Issue: large number of servers run by people expected to be an expert in SIPS/HTTPS. It is getting too complex

Daniel Kahn Gillmor: Address low hanging fruit, 1st item is pervasive passive monitoring for HTTP only. RFC 2817 HTTP upgrade could roll out

<npd> Open source and commercial software have made it easy to deploy servers that implement complicated protocols without the single sysop understanding all the details

web browser would support, not tell user that they are using it, web admins need to make no effort. Another: Registry of which SMTP servers do offer STARTTLS so as to avoid downgrade attack. Many tools allow browser fingerprinting need to think about how to roll stuff out, not to make metadata issue worse

Ted Hardie: Stumbling block problem: end user cannot tell difference between WebRTC protocol and a non Webrtc, so user can't tell whether it should be secure or not. May be able to tell if it is javascript downloaded to a browser in a web environment. Can't for an app end user won't know. Need to convince app providers to use standards or have means to tell user what category app falls into

Steve Bellovin: How many people using VPNs? Could encrypt all mail to ietf mailing list but don't. Why not? Why are you not using crypto? Because pain in the posterior to set up

Perry Metzger has 25 years as admin, took lot of effort to set up IPSEC for iPhone

This is a PROBLEM

<npd> smb, my hosting vendor makes it expensive and annoying to use https for my personal webpage

One set on by default

Steve Kent:

<hej> hello

Max observed earlier difference key management SSL vs TLS. SSH is used in closed environments. Less risky environments, so not fair comparison.

<ln5> "do you use encryption in every place you can?" yes, i use tor. all the time.

Larry Masinter: Low hanging fruit might be counterproductive. Very few browser vendors don't sell the browser, sell something else. My VPN stops working once a day for security

(missed it)

<Ted_1> Not sure it is low-hanging fruit, but a fruit to care about is the work being BoFed in DNSE, which intends to provide confidentiality for DNS queries

Don't think there are any low hanging fruit. Onion routing one of the best ways to deal with an attack. Not much ambition. Ambition should be within the decade have onion routing in every browser

Cullen Jennings:

What about IPSEC? OS may have understood what is going on but the application did not. IETF criticism, only bothered by what is on the wire, not in what happens elsewhere need to do a better job

<MacroMan> To be fair, easy typo

Phil Zimmermann: Educating users is daunting

<DThaler> +1 to cullen, that's one of the things we were discussing during the break

Like trying to educate people in pre-literate societies on germ theory of disease

<grothoff> IPSEC didn't happen because the NSA successfully botched the standardization process. Possibly the same reason why we talk about deploying TLS while the NSA uses NSLs and PRISM to get the data at the server.

<azet> the ipsec protocol is just incomprehensible

<azet> ...

<grothoff> That's how they made it fail.

Should try to avoid using pkis whenever possible

<azet> yes

<grothoff> Tons of options, insecure choices, etc.

<swb> audio?

<azet> best of all: downgrade attacks

<swb> oh there it is, buffered

<azet> null cipher et al

<swb> No, I just lost it again

<grothoff> Yes, but the point is that they had a hand in it, with the goal to make it fail. Why are we talking about TLS, while activists have been killed or imprisoned due to CAs being hacked?

<swb> does anyone else have audio? I'm getting a 404 now.

Why can't we use more key continuity?

<grothoff> We should talk about eliminating TLS, not deploying it.

<azet> why no key continuity? verisign can't profit of that

<azet> :(

<MacroMan> +1

Aaron Kaplan:

Gamification, where people have that microscope

<swb> audio is back

how good is the encryption? Do they have encryption? People need microscopes. How do we produce them? define tests?

<jphillips> SSH is well-placed for TOFU because you're connecting to only one or two servers over and over again.

How should security be if works due to protocol? Define tests, Microscope test slides

<jphillips> Might not work very well at all for e.g. HTTP, when surfing and jumping from site to site.

<azet> you can't replace CAs simply with a SSH-like protocol, but i think we should work on a distributed solution instead of hierarchical CAs/WoT

Harry Halpin:

<azet> i mean i do not trust them, i used to 10yrs ago

easier to convince a small group to change things than a large one

<azet> so why 1) pay for that 2) implement 300+ in browsers?!

Small group of browser vendors

<Ted_1> And mobile OSes as well.

Can get changes there. Browser test suites are effective for HTML5. Don't have test suites for security competitive space? Test suite to shame people might help. Need a test suite to show what people should be working for. Performance considerations tend to outweigh security

Stewart Bryant (Cisco): Get DNS out of the equation & go back to hosts file

<azet> host files do not scale :)

EKR

<swb> boom!

3 observations:

<rigo> general bad hums on host files

We do have test suites. Sorry do think important

<grothoff> German news reported today that the German security service (BND) was hacked by a Stuxnet-like Russian malware since 2011. Sure that performance always beats security?

test sites are good but they have to be right

<jphillips> Distributed hosts file (Namecoin)?

they are often wrong. Not helpful for the wrong script! BEAST people said should use RC4. Opportunistic http is contor

<azet> jphillips: DHTs?

Mark Nottingham: It is controversial, don't need to upgrade server on Apache. Low hanging fruits is requiring TLS 1.2, requiring certain cipher suites. But there are stumbling blocks. For encryption is horrific on use side, user experience for security needs work HTTP-BIS not appropriate

Randy Bush: Phil agree that PKI sux. But don't throw tools away when we have a broken car. Trying to paint security on ex post facto, beast with 300 moving pieces. Serious protocol work to do so DNS/http uses DANE so we don't need pki. Will not transport without privacy and authenticity. not going to do it tomorrow, even if we beat stuart up (still going to do that)

<npd> I think lots of people are hesitant about standards for UX and for good reason. But in some cases the advantages might outweigh those concerns.

<hhalpin> ekr - as regards browser vendors, thanks Mozilla for hiring all barnes re Crypto API, because it appeared it was not being implemented.

<hhalpin> That being said, Personae has been dropped and not being shipped anywhere to a standards body

<hhalpin> ditto the lack of cert pinning in Mozilla is rather urgent to be fixed

<hhalpin> In fact, we have no cross-browser security test-suites

Steve Kent: As guy for IPsec, has not succeeded because access control is a critical feature have to configure whether you want plaintext or encryption or whatever designed for administrator, not end user. Don't confuse WebPKI with PKI. CAs are authoritative for nothing. DANE is authoritative for Domains. Threat model or risk model: contentious is going to be whether encouraging widespread unauthenticated will encourage MITM. Don't think it belongs in threat model, is a risk model thing

<hhalpin> And attempts to harmonize UX has failed in standards bodies at W3C due to feeling that security UI was competitive

<rigo> hhalpin, browser? security?

<npd> hhalpin, but maybe we're coming around to it being too important not to?

<hhalpin> Previous attempt: http://www.w3.org/TR/wsc-ui/

<hhalpin> Yes, I think WSC 2.0 with a test-suite around UI would make sense - if we had an agreement (help researchers and UX folks) on how to present security concerns to users

Melinda Shore: Education problem, largely true firewall traversal, it is painful and inspecting traffic desired by admins, dismissive possibility of today. Now people are worried

Max Pritkin: Comment about TLS and SSH: TLS is designed for use across organisational boundary. Also used often inside organization. It is a key management solution. Others may be better. Gap between how SIP layer works and auth layer works. Turning it on has operational problems and scaling issues. Have to handle the additional load.

<grothoff> People are not merely worried, they recognize that the Internet is a system for mass surveillance, and most are simply resigned to the fact that they cannot expect to communicate privately anymore. I think that's beyond "people are worried".

<azet> grothoff: they still do not change their online behavior w.r.t. what to write and what not to

<azet> grothoff: IMHO it's up to service providers to properly protect them

<grothoff> azet: true in many cases, but I think 90% just don't care/understand the implications of mass surveillance. Others have changed their behavior, sometimes in subtle ways.

<grothoff> My aunt doesn't want to talk on the phone with me about certain topics anymore...

Lars Eggert: Security is mandatory to implement but optional to use. Want to go to a model where it is mandatory to implement but not to secure credentials.

<jphillips> OpenSSH is only easy to use because it leaves the key management to the users, who don't bother to do key management properly.

<azet> grothoff: it's worrying if people do not care anymore

<azet> thats a social problem though

<azet> like the whole surveillance stuff in the first place

<grothoff> azet: service providers cannot protect them, as then they can be compelled. We, the technical people, have to give everybody the tools that they can protect themselves with.

Stephen Farrell: I agree. Then do it, write a BCP.

Achim Klabunde: Apps that transport credentials, ones that are transporting user credentials; most important apps are blocking cert errors

<azet> apps? it's still best practice for ruby and php coders to disable certificate validation

<azet> there are thousands out there

<azet> not even joking, do a github search

Philipp Hallam-Baker: WebPKI was designed to allow people to spend money online with the same confidence they do so offline. If you're using it to protect other things, you're doing it wrong. Using clear credentials in a TLS session like some famous mail service is wrong

Peter Eckersley: Wouldn't it be nice if we could live in a world where sysadmins can just turn on SSL could do it. What is a hack that could do that? If the server has not had a cert before then just give it to them. Put giant lists of everything that has upgraded to the protocol in giant list in the sky.

<jphillips> Anecdote: Yaaic (Android IRC client) does no certificate checking (unless you use my version): no warning shown in UI, and nobody seemed to be bothered.

David Wakelin: Security on by default. (azet, yes) Uneducated guys running one server for low usage

<azet> is he aware of certificate-transparency?

<PhilippeDeRyck> hardcoding in the client is already done in chrome for HSTS

Eliot Lear: There has been wide ranging discussion. At risk of boiling the ocean improving the webpki experience. But IETF has shied away from UI. Do we need to work with UI people

<npd> +1 elliot

Daniel Kahn Gillmor: If people are as interested in testing or defining tests, would be interested to talk to you

<npd> Back in 15 minutes, be prompt!

<swb> The IETF has not "shied away" from UI. UI is not a protocol issue. The IETF intentionally stayed away from it.

<jphillips> But do complicated crypto systems tend to force tighter coupling between UI design and protocol design?

<swb> We have layering because it allows problems to be cut up and modularized. I don't think the answer is to add complexity to the UI, but rather to make the right thing be the default behavior.

<swb> but I don't know much

Policy

<kodonog> rigo: starting policy session

Rigo: policies that are influencing passive monitoring
... public perceptions of the users
... Feb 2014 poll in France says 57% in favor of surveillance
... most people think they are monitored anyway
... why are they pessimistic
... first were companies that monetized identities
... companies that are monitoring users are successful
... monitoring has become ambient
... slippery slope of increasing laws related to surveillance...
... no expectation of Privacy on the Internet anymore
... our role is to give them hope

Bernard Aboba: there are another series of laws and polices that are going in the other direction

scribe: HIPAA, Sarbanes Oxley, etc that are trying to address
... may not have been effective

<swb> That's misdirected, we can't give them hope, since the final say is governmental policy and laws.

scribe: this a biased view of the policy

<swb> We can make hope technically possible, but cannot implement hope.

<Bert> poll shows the French think PM is justified [in French]

Rigo: turn the paradigm around

<jphillips> Now how #an

Rigo: need tech changes and policy changes
... need to work together

<swb> @Bert many people around the world think it's justified. cite Ben Franklin.

<jphillips> Now how many will think PM of private webcam images is justified?

Christine Runnegar: Policy ripples

scribe: what is the impact on the internet
... what policies to we want made that will support

<swb> good point - they would like it in general and not like it in specific. (aside: the opposite of racism)

scribe: how do we ensure that policies and technologies are aligned...
... six categories (see slides as I missed them)
... example policies and emerging efforts

<DThaler> slides at http://down.dsg.cs.tcd.ie/strint-slides/s3-policy.pdf

Rigo: GCHQ and Yahoo revelation, looking at peoples videos and living rooms
... current complaint running at European Court of Human rights

<grothoff> Actually, UK minister of justice has already said it is above ECHR on a recent judgement over murder imprisonment.

<grothoff> So they'll just again say that human rights matter less in UK than in Russia (the Russians have not taken the position that ECHR rulings do not apply to them).

Christine: legal action response to issue (appeal to EC on HR)

Rigo: ways for Europeans to cause US pain

<grothoff> Only pain ECHR can cause the UK is to throw them out of European Council. So I do not think that ECHR is a good argument here.

<scribe> ... ongoing Actions, suits

<grothoff> European treaties don't hold either, as national security concerns can be used, as EU is specifically excluded from interfering with national security issues.

<DThaler> confusingly similar to Extra-Terrestrial surveillance?

Christine: get back to the moral high ground with OECD and activities like that

<dougm> Just to be clear ... we are restoring hope to the 43% who were not in favor of surveillance?

Christine: need dialog between tech and policy communities

<grothoff> Spying on _Germany_ is not the same as spying on ordinary German citizens. Even in the cold war, it would have been wrong to spy on ordinary Russian citizens.

Rigo: is privacy a human right and universal

<swb> Not for the IETF to decide. Maybe W3C :-). This is one point where the technical and policy groups don't need to get together -- they should after the policy community decides.

Cullen Jennings: bullet saying those monitoring the most were the most successful

scribe: not sure that is true, if it is true this is all doomed

Eliot: what is for the IETF (and what is for the W3C), we are engineers, what should we be contributing

David Rodgers: at Mobile World Congress this week, where these topics were also discussed

<swb> right

scribe: other things going on in the world
... suggest ethics boards in standards bodies

<hildjj> We should totally have an ombudsperson.

scribe: stuff going at the ITU

<swb> ombudsentity!

scribe: China proposed using DPI with mobile malware

<DThaler> @Cullen: my counter hypothesis is that the most economically successful entities are where the _risk of disclosure_ is highest.

scribe: proposal from Ukraine backed by Russia to put the IMI database in the ITU and maybe MAC addresses as well
... rationale is for countering counterfeiting
... problem with ITU is that they have the power of regulation

<swb> iiuc SIP URIs for 3G-connected phones already contain IMEIs.

scribe: at what point would we give up our privacy

Joe Hall (CDT): very aspirational and very hopeful, but what is actually happening is pretty depressing

scribe: a bunch of examples

PHB: I trust strong crypto more than I trust governments to protect privacy

<ldaigle> @scribe — Achim (EU data protection guy)

Achim: a lot of misinformation distributed in the US about the legal situation in Europe
... paper #64 to bring policy together, less idealistic approach than what was in Rigo's slides

<grothoff> https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf

Alissa Cooper: for engineers in the IETF/W3C, it is useful to have conduits to what is going on in Policy land

scribe: if there are problems with how IETF/ISOC, we could draw down on this

<dougm> Do we have concerns about complicating legal/lawful intercept?

scribe: not what we are here today and tomorrow to do

<grothoff> German government can't protect its own NSA from the Russians, how can they protect their citizens against the NSA?

Phil Zimmermann: what can Germans do to try to limit US spying...

scribe: we worked together to win the crypto wars 10 years, and now we need to do the same for surveillance

George Danezis (UCL): we should not propagate the fiction that domestic law can solve this

Dave Crocker: reference to regaining the moral high ground, has demonstrated why we should stay away from it

Dana (Oxford University): a lot of lessons from the attempted criminalization from strong cryptography

scribe: second point, a lot of what we need to counter surveillance is there but it doesn't have teeth

Jari Arkko: what of this belongs to organizations like IETF/W3C

scribe: what we say/do privately is different than what we do publicly
... we have to inform people
... sometimes we have to take a position

Stewart Bryant: assumption is that collection of metadata is a bad thing

scribe: collection of telephone data has served us well
... we need to find ways to enable that collection of metadata in a way that is safe and secure

Nick Doty: where we could make progress on the policy side, ask governments to non-interfere or non-sabotage pacts for our standards

scribe: we can make the technical and the moral case

Ted Hardie: no technical solution should depend on a policy approach

scribe: disagree that there is no moral good to be discussed here
... anything that obstructs the ability to have open connection
... needs to be seen in the harms humanity realm

<npd> +1 Ted

David Carlo von Lynx: should a government agency be able to influence <something>

max: pirate party (missed comment - sorry)

Rigo: need informed discussion...

<swb> Yes exactly. We make privacy _possible_

Rigo: question your own role in the policy debate

Christine: wrap up and beef

Stephen: what breakouts for tomorrow?

Dave Crocker: Certs without Certs

scribe: the problems with certificates that we are having now, simpler solutions

Aran: measuring and testing

Brian Trammel: some of the topics overlap should we combine

Larry Masinter: Aggregation of ?

@@@@ clean slate approach

<DThaler> "What is research" sounds like a research question...

Kenny Paterson: Research break out - what research topics would be useful

<jphillips> Or philosophy…

Stuart Cheshire: displaying certificate errors doesn't empower the users, it empowers the administrator

scribe: causes error fatigue (see paper #47)

Stuart Cheshire: UI changes.. fix might not be UI changes...

Stephen: poll on breakout choices

See also: Minutes from Day 2

[End of minutes]

Minutes of the STRINT workshop, written at the meeting and updated thereafter
(CVS log) $Id: 28-strint-minutes.html,v 1.11 2014-03-05 20:29:10 rigo Exp $